Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Lenovo preinstalls man-in-the-middle adware that hijacks HTTPS traffic on new PCs

Ian Paul | Feb. 23, 2015
Major technology companies just can't help tampering with our web traffic to deliver advertising. Security researchers recently discovered that consumer-grade Lenovo computers ship with software called Superfish Visual Discovery that injects advertising into websites on browsers such as Google Chrome and Internet Explorer.

Major technology companies just can't help tampering with our web traffic to deliver advertising. Security researchers recently discovered that consumer-grade Lenovo computers ship with software called Superfish Visual Discovery that injects advertising into websites on browsers such as Google Chrome and Internet Explorer.

Even worse, Superfish installs a self-generated root certificate into the Windows certificate store and then resigns all SSL certificates presented by HTTPS sites with its own certificate — the classic definition of a man-in-the-middle attack. It's a weakness that hackers could potentially use to steal sensitive data like banking credentials or just observe your web surfing activities.

Further reading: How to remove the dangerous Superfish adware preinstalled on new Lenovo PCs

The capability is being used to inject ads on encrypted sites. Even worse, according to Chrome security engineer Chris Palmer, Superfish appears to be using the same root certificate with the same weak RSA key on all affected Lenovo PCs, rather than generating unique encryption for each computer.

Removing the Superfish adware doesn't remove the rogue security certificate, either.

Superfish has been shipping on Lenovo PCs since at least mid-2014. In late January, Lenovo said in a support forum post that it was temporarily removing Superfish from consumer laptops due to unspecified "issues." 

"Lenovo removed Superfish from the preloads of new consumer systems in January 2015," a Lenovo representative said in an emailed statement. "At the same time Superfish disabled existing Lenovo machines in market from activating Superfish." The company is "thoroughly investigating all and any new concerns raised regarding Superfish," she said.

Why this matters: Shipping PCs with pre-installed software, also known as crapware or bloatware, is nothing new for Windows users. But usually this software is a free trial of anti-virus software, a productivity suite, or maybe a game. Lenovo's adware installation takes the crapware game to a whole other level by creating an unnecessary vulnerability in new PCs.

This is the third recent example of a technology company caught tampering with a users' browsing habits in the name of advertising dollars. In September, it was discovered that Comcast was injecting ads into user browsers at Xfinity public Wi-Fi hotspots, and Verizon is under fire for its ad-fueled super cookie that tampers with web traffic traversing the carrier's mobile network. But those were ISPs dumping ads over web traffic — a big difference from this case, where a PC manufacturer is essentially preloading PCs with software that essentially behaves as a man-in-the-middle attack.

Superfish or Super phish?

The main purpose of Superfish is to analyze images a user is viewing in the browser and then deliver advertising based on the contents of the image. The company also produces its own mobile apps that do something similar. Superfish's Like That Décor Furniture for Android, for example, lets you snap a photo of a couch or dresser you like. Then the app will show you similar furniture pieces from various retailers to help you find the best price.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.